
On March 20, 2025, the new Federal Law for the Protection of Personal Data held by Private Parties (LFPDPPP of 2025) was published in the Official Gazette of the Federation. The LFPDPPP of 2025 entered into force on March 21, 2025 and abrogates the law of the same name published in 2010.
As a consequence of the disappearance of the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI), the LFPDPPP of 2025 establishes that the material and financial resources of the INAI will be transferred to the Ministry of Anti-Corruption and Good Governance, which becomes the new authority in charge of personal data protection. This Ministry will be responsible for disseminating knowledge about the right to personal data protection, promoting its exercise, and monitoring compliance with the applicable provisions. Proceedings that were pending before the INAI when the LFPDPPP of 2025 entered into force will continue to be addressed in accordance with the regulations in force at the time of their initiation, but they will now be handled by the Ministry of Anti-Corruption and Good Governance.
Authored by Guillermo Larrea, Ana Rumualdo, and Victoria Villagómez.
The amendments incorporated by the LFPDPPP of 2025 represent a comprehensive transformation in the personal data protection regime. These reforms not only strengthen the rights of data subjects, but also considerably raise the obligations of data controllers and processors. The law imposes higher standards of legality, transparency, security and proactive responsibility. In this context, companies will need to take immediate steps to align their operations with the new regulatory framework.
First, it is essential that each organization performs a comprehensive audit of the data sources it uses, in order to identify those that do not comply with the new legal definition and could represent a legal risk. Simultaneously, contracts with suppliers and business partners should be reviewed and updated, precisely delimiting the roles of data controller and data processor in accordance with the updated definition of the law.
Additionally, companies should review and update all Privacy Notices, both in their comprehensive and simplified versions, incorporating the new mandatory elements and eliminating those that are no longer required. Although it is no longer mandatory to report on data transfers, it is recommended to maintain such information to promote transparency and align with international frameworks such as the European GDPR.
Regarding consent, companies should clearly identify which processing operations can be carried out without requiring express authorization, ensuring that there is support in a valid legal provision. This implies active monitoring of new regulations and criteria issued by regulatory authorities.
Another central aspect will be the establishment of clear policies on data retention and deletion, with defined deadlines and effective blocking processes. This requirement must be duly documented and supported by adequate technical procedures.
The enhanced confidentiality obligation will require the signing of agreements with all those involved in data processing, as well as the implementation of access control mechanisms, ongoing training, and internal audits to ensure compliance.
Finally, companies must adapt the procedures for handling ARCO requests, ensuring that the formal requirements are met and that the responses include detailed information on the processing. The company must guarantee that data subjects have easy access to their data and to the mechanisms for exercising their rights, including specific measures for dealing with requests related to automated decisions or artificial intelligence.